Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy

Information

A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems.

Organizations _MUST_ ensure the built-in packet filter firewall is configured correctly to employ the default deny rule.

Failure to restrict network connectivity to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate the exfiltration of data.

If you are using a third-party firewall solution, this setting does not apply.

[IMPORTANT]
====
Configuring the built-in packet filter firewall to employ the default deny rule has the potential to interfere with applications on the system in an unpredictable manner. Information System Security Officers (ISSOs) may make the risk-based decision not to configure the built-in packet filter firewall to employ the default deny rule to avoid losing functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====

Solution

NOTE: See the firewall supplemental which includes a script that has an example policy to implement this rule.

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-4, 800-53|CA-3(5), 800-53|CM-6b., 800-53|SC-7(5), CCE|CCE-84756-6, CCI|CCI-000366, CCI|CCI-002080, STIG-ID|AOSX-15-005051

Plugin: Unix

Control ID: 7d3c6339bb1509e586611fd1d3a2ccd6fd996d50b7e4ec2b22b49a4950694a49